As the world becomes increasingly digital, and digitally connected, cyber security continues to grow in importance. In today's world, cyber security is unfortunately asymmetric—and it favors the attacker. One fundamental aspect of the asymmetry today is the inherent “break once, run many” nature of contemporary systems.
This ‘break once, run many’ nature makes the economics of cyber-attacks significantly favor the attacker. The effort applied to find a vulnerability and develop an exploit can be leveraged across a large number of targets. Often these attacks can be launched remotely from anywhere in the world. To make a cyber-attack worthwhile, the only remaining question is the value of the targeted data or systems.
Malware, or malicious software, is often linked to cyber-attacks. Cyber attackers often take advantage of vulnerabilities in computer programs, and are thus able to infect, damage and often disable the programs with computer viruses, malware and other malicious code.
One common set of techniques for writing malware uses approaches like return oriented programming (ROP) and jump oriented programming (JOP) to literally trick the target into behaving the way the attacker desires. In essence, the victim becomes the virus. Malware based on these techniques can be extremely hard to detect, and as a result, many “Zero Day” malware attacks are based on these techniques.
Fundamentally, malware based on these techniques requires knowledge of the target system. In simple terms, in order to ‘trick’ the victim into becoming the virus, the attacker needs to know very specific details about the victim, including but not limited to, the specific binary instructions used by the victim program.
Prior to this invention, the state of the art to defend against ROP/JOP style attacks was address space layout randomization (ASLR). The goal of this approach is to randomly move binaries into different memory locations, making it more difficult for attackers to know where to find the code needed to create the virus. This approach, while worthwhile, is fairly easy to work around—simply figuring out one number (e.g. a single memory address) is often sufficient to completely defeat ASLR defenses.
There is therefore a long-felt, significant and unmet need in the art for improved methods and systems for preventing and disabling the unwanted effects of malware. As long as targets remain static, attackers will be able to exploit vulnerabilities economically. It is not sufficient to merely move binaries around; the binaries themselves need to be different across systems.
While creating unique and different binaries is a difficult problem unto itself, distribution of such scrambled binaries is also a very difficult problem. Many modern computing systems today such as Microsoft Windows, Linux, and Apple Macintosh OS X have a concept of patches with a centralized “system update” type server. These system update servers are typically cloud hosted on the Internet and distribute updates via small files known as “patches”. Patches use a variety of technologies, but fundamentally are based on some concept of comparing the before and after binaries, and sending along just the information needed to update a before binary to the after binary.
Scrambled binaries present a challenge. Solutions to the scrambling problem such as Polyverse create literally billions of different possible binary configurations. Conventional patch mechanisms cannot cope with diversity of that magnitude.
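The following is an added illustration, written for this page rather than taken from the patent or from Polyverse, of the conventional patch model just described and of why it breaks down once every installed binary is different. A "binary" is a constructed byte string made of hypothetical function blocks; `make_patch` records the ops needed to turn the before image into the after image together with a hash of the exact before image, `apply_patch` replays them, and `scramble` stands in for a layout-diversifying build (it only permutes function order; real scramblers do more). The factorial count in `distinct_layouts` is the number of layouts this toy can produce, not a figure from the page.

```python
"""Toy before/after binary patching versus per-system scrambled binaries.
Added example: not the patent's or Polyverse's code. All images are
constructed byte strings."""
import difflib
import hashlib
import math
import random

# Hypothetical program: eight small "functions", each a constructed block
# (a fake prologue, a distinctive filler byte, and a fake return).
FUNCS_V1 = [b"\x55\x48\x89\xe5" + bytes([0x10 + i]) * 6 + b"\xc3" for i in range(8)]


def link(funcs):
    """Concatenate function blocks into one flat 'binary' image."""
    return b"".join(funcs)


def upgrade(funcs):
    """Simulated vendor fix: two bytes change inside function 3."""
    new = list(funcs)
    new[3] = new[3][:5] + b"\x90\x90" + new[3][7:]
    return new


def scramble(funcs, seed):
    """Layout-diversification stand-in: a deterministic per-seed shuffle of
    function order. Each seed that yields a new order yields a new image."""
    order = list(funcs)
    random.Random(seed).shuffle(order)
    return order


def distinct_layouts(n_funcs):
    """Number of distinct images this toy scrambler can produce: one per
    permutation of the function blocks."""
    return math.factorial(n_funcs)


def make_patch(before, after):
    """Build a patch as ('copy', start, end) ops that reuse bytes from the
    before image and ('insert', data) ops that supply new bytes. The patch
    also pins the hashes of the before image it was computed against and of
    the image it must produce."""
    sm = difflib.SequenceMatcher(None, before, after, autojunk=False)
    ops = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            ops.append(("copy", i1, i2))
        elif j2 > j1:  # replace or insert: literal bytes from the after image
            ops.append(("insert", after[j1:j2]))
        # a pure delete contributes nothing to the output
    return {
        "base_sha256": hashlib.sha256(before).hexdigest(),
        "result_sha256": hashlib.sha256(after).hexdigest(),
        "ops": ops,
    }


def apply_patch(patch, base, verify_base=True):
    """Replay the patch over a base image. With verify_base the patch refuses
    any image other than the one it was built for; without it the ops are
    replayed blindly and the result is checked against the pinned hash."""
    if verify_base and hashlib.sha256(base).hexdigest() != patch["base_sha256"]:
        raise ValueError("patch was built against a different binary")
    out = bytearray()
    for op in patch["ops"]:
        if op[0] == "copy":
            out += base[op[1]:op[2]]
        else:
            out += op[1]
    result = bytes(out)
    if hashlib.sha256(result).hexdigest() != patch["result_sha256"]:
        raise ValueError("patched image does not match the expected result")
    return result


if __name__ == "__main__":
    v1, v2 = link(FUNCS_V1), link(upgrade(FUNCS_V1))
    patch = make_patch(v1, v2)
    print("canonical patch ops:", patch["ops"])
    print("applies to canonical v1:", apply_patch(patch, v1) == v2)
    customer_v1 = link(scramble(FUNCS_V1, seed=7))
    try:
        apply_patch(patch, customer_v1)
    except ValueError as exc:
        print("scrambled customer image:", exc)
    print("layouts for 13 functions:", distinct_layouts(13))
```

Running the script shows the patch is a handful of ops and applies cleanly to the image it was diffed against, while the same patch is rejected for a scrambled install (or, with `verify_base=False`, produces a corrupted image that fails the result check). Because each layout would need its own patch, the vendor-side work grows with the number of layouts in circulation, which is the distribution problem the text raises.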